Are Passwords Going to Become Obsolete in Payment Processing?

Passwords have become an outdated and imperfect way of keeping your data safe. Most people still tend to set worryingly weak passwords such as “123456” – which in 2013 overtook “password” as the most popular choice. In fact, according to an investigation conducted by Trustwave in 2015, weak passwords were responsible for roughly 28% of all data breaches.

This is not restricted to the less tech-savvy among us: last year 2000 passwords belonging to hackers were leaked, revealing that they tended to make just as poor choices as the rest of us when it comes to passwords. Only 2% used the recommended mixture of lowercase, uppercase and numbers, and only 6% bothered to include special characters.

Hackers can use sophisticated algorithms to guess passwords by running through millions of combinations in a relatively short period of time until they find the right one. Once found, it usually means they have access to most if not all of that user’s data, since more than 50% of consumers use the same credentials across all their online accounts.

It would therefore seem there is a real need – especially in areas such as payment protection – for more efficient and secure ways of keeping and accessing sensitive customer and transaction data. In fact, today’s merchants are discovering the need to apply a layered approach to data protection, to help prevent transaction disputes and the resulting cost and resource drain of chargebacks. In short, single-factor authentication systems based on passwords simply don’t cut it any more, but already there are technologies available which make the authentication process faster and safer.

Multi-Factor Authentication (MFA) requires the user to provide two or more pieces of information in order to gain access to a service. A classic example of this is an ATM, which requires you to present a bankcard and matching PIN number to withdraw money. Merchants and FinTech service providers that have not yet switched to MFA will likely need to consider their options for doing so in the near future. But what exactly does that entail? Generally speaking, the information required by MFA systems falls under three broad categories:

Something You Have: A physical object such as a bank card, USB fob, or one of the code-generating devices which many banks now provide. The pervasiveness and advanced security features of smartphones, however, have begun to make physical tokens far less useful to banks, since online services tend to send authentication codes or messages directly to a user’s registered mobile device instead. Google Authentication even allows you to use this functionality offline in case there is no mobile signal, automatically opening the LaunchKey app and allowing the user to simply swipe their phone to display the received code.

Something You Are: A physical characteristic of the user, such as fingerprint, voice, iris structure or facial features. Most smartphones now feature fingerprint recognition as standard, and facial recognition technology is also becoming more common. Experts predict that we will see increasing incorporation of biometrics into future authentication methods, following the success of features such as Touch ID on earlier versions of the iPhone and the widespread rise in the adoption of wearables. There are already wearables on the market that are capable of tracking a user’s pulse through a smart bracelet and providing authentication by identifying the unique rhythm of their heartbeat.

Something You Know: A secret piece of information only the user should be able to know and provide, such as a PIN, user name, answers to memorable questions, or a password. Although passwords shouldn’t be used as the sole key to grant access to user accounts, they can, as a part of MFA, provide a useful added layer of security, since objects such as smartphones or tokens can be lost and even biometric readers can be hacked into. Since we use our phones so much, they can be targeted as rich sources of identity-relevant contextual data. Soon, we could see a combination of biometric authentication and contextual authentication to provide sufficient assurance in medium-risk scenarios, so as to make “gateway” password-based authentication obsolete.

The bottom line is that single-factor security systems like passwords are low-hanging fruit for fraudsters. Technologies that enable multi-layered systems – while never entirely bullet-proof – at least tend to move that fruit upwards, making it much more difficult for fraudsters to pluck.

Yet in spite of these benefits many merchants are wary of adopting such enhanced security measures, as they are perceived to add friction to the payments process and might make customers less likely to conclude a purchase. Merchants should bear in mind that the worst possible user experience is to have one’s data hacked. Yet as technology advances, the choice between providing a seamless user experience and watertight security will increasingly become irrelevant, as stringent authentication will automatically access a broad range of user data without requiring users to engage in any complicated processes.

Merchants also have an opportunity to fine-tune these upfront fraud screening mechanisms to reduce friction and false sales declines, with additional post-transaction services to help identify and resolve problems on the back-end. Verifi’s Cardholder Dispute Resolution Network (CDRN) helps issuers and merchants collaborate on customer disputes in near real-time to resolve both fraud and non-fraud cases seamlessly, before they turn into costly chargebacks post-sale. By layering both existing and emerging pre- and post-sale fraud prevention tools like CDRN together, merchants can resolve fraud cases without added chargeback expenses and allow more legitimate sales to flow through, keeping the approach scalable as the payments landscape continues to evolve. It’s a win for the customer, the merchant, and the issuer alike.